ssh-agent for kerberos-like authentication to my own daemon?

Kaelin Colclasure kaelin at everest.com
Sat Apr 14 11:02:02 EST 2001


Greetings,

I am writing a daemon which will be deployed internally across a largish
server farm. I am also writing the client program a user runs to invoke
operations at said daemon. The client communicates with one or more
daemons simultaneously using a simple UDP-based protocol.

I would like to add authentication to this protocol. From what I have
read of such things, Kerberos-style tickets seem perfect for this kind
of application -- but I am quite reluctant to approach the operations
folks and propose they set up and maintain a Kerberos domain. (A spot
lynching might ensue.) Right now we use OpenSSH on all of the machines
and up till now it has met all our needs.

SO, I'm wondering if it's possible to formulate a simple-yet-secure
handshake that takes advantage of the SSH infrastructure we already have
deployed. Something like a simple ticket generated and signed by the
client, with which my daemon can do the following:

  - Check the timestamp against a +/-5 minute window (like Kerberos)
  - Verify the message is not in a 10-minute anti-replay cache
  - Check the signature against the user's locally stored public key
  - Assuming all this looks good, check a local access list, and
  - Run the operation only if the user is authorized

I'm not chartered to spend a lot of time on this aspect of this daemon,
but the site is a somewhat high-profile target, so it's worth a bit of
effort to come up with something that can't trivially be broken or
bypassed.

Is this a reasonable idea? Is there code in OpenSSH that I can use to
implement it reasonably quickly?

-- Kaelin


